[3.5] krb5: Multiple vulnerabilities (CVE-2017-15088, CVE-2018-5709, CVE-2018-5710)
CVE-2017-15088: Buffer overflow in get_matching_data()
plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions.
References:
https://nvd.nist.gov/vuln/detail/CVE-2017-15088
https://github.com/krb5/krb5/pull/707
Patch:
https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4
CVE-2018-5709: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c
An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable “dbentry->n_key_data” in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a “u4” variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.
References:
https://nvd.nist.gov/vuln/detail/CVE-2018-5709
https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities
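Added example, not part of the original issue or of krb5's code: the 32-bit to 16-bit narrowing described for CVE-2018-5709, next to a range-checked assignment and a parser that uses it. struct entry, the function names and the sample inputs are hypothetical, and modelling the field as a signed 16-bit integer is an assumption.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-in for the database entry: only the 16-bit
 * key-data count is modelled (signed 16-bit is an assumption). */
struct entry {
    int16_t n_key_data;
};

/* Unchecked pattern from the CVE text: a 32-bit value taken from the
 * dump is stored in the 16-bit field, so only the low 16 bits survive. */
static void set_count_unchecked(struct entry *e, uint32_t u4)
{
    e->n_key_data = (int16_t)(uint16_t)u4;
}

/* Checked version: refuse any count that does not fit the field. */
static int set_count_checked(struct entry *e, uint32_t u4)
{
    if (u4 > INT16_MAX)
        return -1;
    e->n_key_data = (int16_t)u4;
    return 0;
}

/* Parse a decimal count field (constructed text input) and store it
 * only if it is well formed and in range. Returns 0 on success. */
static int parse_count(const char *field, struct entry *e)
{
    char *end;
    unsigned long v;

    /* Require a leading digit: rejects NULL, empty, signs and spaces. */
    if (field == NULL || field[0] < '0' || field[0] > '9')
        return -1;
    errno = 0;
    v = strtoul(field, &end, 10);
    if (errno != 0 || *end != '\0' || v > UINT32_MAX)
        return -1;
    return set_count_checked(e, (uint32_t)v);
}
```

With the constructed value 65537, the unchecked store leaves a count of 1 in the field, while the checked path rejects the record.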
CVE-2018-5710: null pointer dereference in strlen function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. The pre-defined function “strlen” is getting a “NULL” string as a parameter value in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the Key Distribution Center (KDC), which allows remote authenticated users to cause a denial of service (NULL pointer dereference) via a modified kadmin client.
References:
https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Denial%20Of%20Service%28DoS%29
https://nvd.nist.gov/vuln/detail/CVE-2018-5710
(from redmine: issue id 9304, created on 2018-08-21, closed on 2019-05-04)
- Relations:
- copied_to #9299
- parent #9299